
I have a bit of an odd problem that I need an elegant solution to. I am using a build tool that requires logging in to a service (AWS CodeArtifact specifically). When I log in via the CLI, it sets an environment variable - let's call this TOKEN. When I run any build, it requires the presence of TOKEN to authenticate.

Now, after logging in, builds in the same shell work but obviously, builds in new shells (which aren't sub-shells) fail because TOKEN is of course not defined. I'm looking at ways to solve this; ideally a solution that does something like this:

  1. Login shell: after logging in, save TOKEN in ~/.token
  2. All shells: run something every minute which sets TOKEN to the value in ~/.token

I have 2 questions:

  • Is this the best way - or is there something more elegant?
  • If so, what's the best way to do (2) above?

The final catch is that this is something I'll be distributing to end users on their machines, so it would be great if it's easily scriptable.

Thanks in advance - stay safe!

ragebiswas
  • The `TOKEN` var must have already been `export`'ed, otherwise your build command cannot access it. So it does not work for you? – pynexj Aug 31 '20 at 03:51
  • What's the build tool? Many tools can use an environment variable or a config file instead. – Benjamin W. Aug 31 '20 at 04:21
  • Why wouldn't using a file be elegant? The only thing I would take into account is that at a given moment the file can only contain one piece of data. It would be necessary to provide either a mechanism with an instance id in the file name, which allows having several files, or a lock for synchronization. – Nahuel Fouilleul Aug 31 '20 at 06:26
  • The build tool is `maven`. Even if it's an env var, the problem is syncing that env var to all open shells. @NahuelFouilleul I guess a file is the best way. Do you guys have any recommendations for step (2) - what's the best way to do that? Via `watch` or some other command? – ragebiswas Aug 31 '20 at 07:35
  • Not sure I understand (2): why not read it when the variable is needed? – Nahuel Fouilleul Aug 31 '20 at 07:42
  • Because I want my users to just run `mvn compile` without setting the env var themselves from the file first. As an admin, I'll add to their profile so that the variable is updated every minute or so. – ragebiswas Aug 31 '20 at 08:01
  • Looking at the mvn script, it seems to source /etc/mavenrc or ~/.mavenrc, so the variable may be set in these scripts. – Nahuel Fouilleul Aug 31 '20 at 08:13
  • @ragebiswas : [This link](https://askubuntu.com/questions/853102/how-do-i-run-a-command-before-or-after-every-command-written-in-the-console) discusses how to run a function before the prompt is written, or before a command is executed. Maybe you can use this strategy to set your `TOKEN`? – user1934428 Aug 31 '20 at 11:04
  • Thanks @NahuelFouilleul - this is good, was looking at a more generic solution. @user1934428 - I had forgotten about `PROMPT_COMMAND` - this seems to be the best way. Can you please reply as a solution so I can accept? – ragebiswas Aug 31 '20 at 12:15

1 Answer


When question 2 is answered, the solution for question 1 is simple: Start writing a function that will return the token.

```bash
TOKEN=$(get_token)
```

The first implementation will recalculate a fresh token without any caching or sharing.

How often do you need the token? When you don't build every minute, an extra job (cronjob) refreshing the token every minute is not needed. In such a case you can refresh the token before each API call by calling the function. You do not need to store or share it.
When you do need the TOKEN very often, you can modify the function. Using a file is straightforward, but you can also use another solution like a server (when you want the token available on remote hosts for users who have been identified with some other token).
How to automate the manual process for getting a new token is the next challenge.
Can you find a method where you do not need to enter a password (something like using .aws/config or (better) assigning the right roles to your server)? Or do you need to script the call with expect?
The API call `get-authorization-token` requires the `codeartifact:GetAuthorizationToken` and `sts:GetServiceBearerToken` permissions.

Walter A
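An added example, not part of the original answer or comments: one way to write the file-backed `get_token` the answer describes and run it from `PROMPT_COMMAND` as suggested in the comments. The `CA_DOMAIN`/`CA_OWNER` placeholder defaults, `TOKEN_MAX_AGE`, and every function name other than `get_token` are assumptions.

```shell
# Added example. CA_DOMAIN / CA_OWNER defaults are placeholders, not real values.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.token}"
TOKEN_MAX_AGE="${TOKEN_MAX_AGE:-3600}"   # seconds a cached token is trusted

# Ask CodeArtifact for a fresh token (needs the two permissions named above).
fetch_token() {
    aws codeartifact get-authorization-token \
        --domain "${CA_DOMAIN:-example-domain}" \
        --domain-owner "${CA_OWNER:-111122223333}" \
        --query authorizationToken --output text
}

# True only for a non-empty regular file that we own, that is not a symlink,
# and that was written less than TOKEN_MAX_AGE seconds ago.
token_cache_fresh() {
    [ -f "$TOKEN_FILE" ] && [ ! -L "$TOKEN_FILE" ] || return 1
    [ -O "$TOKEN_FILE" ] && [ -s "$TOKEN_FILE" ] || return 1
    local now mtime
    now=$(date +%s)
    # GNU stat first, BSD/macOS stat as fallback
    mtime=$(stat -c %Y "$TOKEN_FILE" 2>/dev/null || stat -f %m "$TOKEN_FILE") || return 1
    [ $(( now - mtime )) -lt "$TOKEN_MAX_AGE" ]
}

# Print the token, refreshing the shared cache file when it is stale.
get_token() {
    if ! token_cache_fresh; then
        local tok tmp
        tok=$(fetch_token) && [ -n "$tok" ] || return 1
        # mktemp creates the file with mode 0600; the rename makes the update atomic
        tmp=$(mktemp "${TOKEN_FILE}.XXXXXX") || return 1
        printf '%s\n' "$tok" > "$tmp" && mv -f "$tmp" "$TOKEN_FILE" \
            || { rm -f "$tmp"; return 1; }
    fi
    cat "$TOKEN_FILE"
}

# Run before every prompt: keep the old TOKEN if no valid token is available.
refresh_token_env() {
    local t
    t=$(get_token 2>/dev/null) && export TOKEN="$t"
}
PROMPT_COMMAND="refresh_token_env${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
```

Sourced from a profile script, this makes every open shell pick up a token written by any other shell at its next prompt, and only the shell that finds the cache stale calls AWS.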